Idea Details

Enable PIV authentication into Policy Manager

Last activity 05-17-2019 01:42 PM
08-10-2015 03:21 PM

Federal Agencies have a mandate to implement PIV authentication for all privileged accounts. This includes accounts used in the Policy Manager application. It would be nice if Policy Manager could support multiple forms of authentication, including PIV/Smart Card.


05-17-2019 01:42 PM

Any updates on this? Passwords are slowly going extinct and using password managers/vaults is cumbersome at best; it also adds additional operational costs and maintenance to have those solutions.


Also, any enhancements to allow certificate authentication should allow us to specify a custom search expression when disambiguating the user to an IDP. Doing any explicit certificate map is difficult to manage, especially when considering accepting multiple trusted CAs; and subject or any mapping directly from the cert is not valid, so it must be a combination of issuer and subject to ensure uniqueness.


Ideally we would be allowed to build a custom search using the attributes from the certificate so that on log in I can search for a user with an attribute containing Issuer+Subject (e.g., authorizedCertificates=<Issuer>cn=myissuer,ou=something<Subject>CN=someone,ou=blah,dc=hey,dc=you).


If the thick client is not intended to be enhanced to allow this, is the direction customers should look at the web-based version only? 
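The issuer+subject lookup described in the post above, as an added example that is not code from the original thread or from the Policy Manager product. It assumes the `authorizedCertificates` attribute name and the `<Issuer>...<Subject>...` value layout the post proposes; the sample DNs and the in-memory "directory" are constructed. It shows why a subject-only match is ambiguous once more than one CA is trusted, and escapes the DN components per RFC 4515 so a value taken from a presented certificate cannot alter the search filter.

```python
"""Map a presented client certificate to exactly one directory user.

Added example (not from the original post or the product). Assumes the
attribute name ``authorizedCertificates`` and the value layout
``<Issuer>{issuer DN}<Subject>{subject DN}`` proposed in the thread.
The directory below is constructed sample data.
"""
from typing import Dict, List

# RFC 4515: these characters must be escaped inside an LDAP filter
# assertion value so that DN text from a certificate stays a literal value.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Constructed sample directory: two users whose certificates carry the SAME
# subject DN but were issued by two different trusted CAs.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "jsmith": {"authorizedCertificates": [
        "<Issuer>cn=agency-ca,ou=pki,o=agency"
        "<Subject>CN=someone,ou=blah,dc=hey,dc=you"]},
    "jsmith-contractor": {"authorizedCertificates": [
        "<Issuer>cn=contractor-ca,ou=pki,o=vendor"
        "<Subject>CN=someone,ou=blah,dc=hey,dc=you"]},
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def certificate_key(issuer_dn: str, subject_dn: str) -> str:
    """Attribute value combining issuer and subject, as the post proposes."""
    return f"<Issuer>{issuer_dn}<Subject>{subject_dn}"


def build_search_filter(issuer_dn: str, subject_dn: str,
                        attribute: str = "authorizedCertificates") -> str:
    """Custom search expression an IDP lookup would send to the directory."""
    return f"({attribute}={escape_filter_value(certificate_key(issuer_dn, subject_dn))})"


def find_by_subject_only(directory: Dict[str, Dict[str, List[str]]],
                         subject_dn: str) -> List[str]:
    """Naive mapping on the subject alone; ambiguous across multiple CAs."""
    suffix = f"<Subject>{subject_dn}"
    return sorted(uid for uid, attrs in directory.items()
                  if any(v.endswith(suffix)
                         for v in attrs.get("authorizedCertificates", [])))


def find_by_issuer_and_subject(directory: Dict[str, Dict[str, List[str]]],
                               issuer_dn: str, subject_dn: str) -> List[str]:
    """Exact match on the combined issuer+subject value."""
    key = certificate_key(issuer_dn, subject_dn)
    return sorted(uid for uid, attrs in directory.items()
                  if key in attrs.get("authorizedCertificates", []))


def resolve_user(directory: Dict[str, Dict[str, List[str]]],
                 issuer_dn: str, subject_dn: str) -> str:
    """Return the single user for this certificate, or refuse the login."""
    matches = find_by_issuer_and_subject(directory, issuer_dn, subject_dn)
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user, found {len(matches)}")
    return matches[0]


if __name__ == "__main__":
    subject = "CN=someone,ou=blah,dc=hey,dc=you"
    issuer = "cn=agency-ca,ou=pki,o=agency"
    print("subject only   ->", find_by_subject_only(DIRECTORY, subject))
    print("issuer+subject ->", resolve_user(DIRECTORY, issuer, subject))
    print("filter         ->", build_search_filter(issuer, subject))
```

The lookup refuses to authenticate unless exactly one entry matches, which is the check to keep whatever attribute layout is finally chosen: a zero or multiple-match result means the mapping is misconfigured or a second CA has issued a colliding subject.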

10-27-2015 05:52 PM

I have added this to the product "wish list", and have indicated community interest in the enhancement request that Eric listed above.

08-17-2015 04:09 PM

The applet is built off of the workstation Policy Manager. I am not aware of any significant improvements in user experience between the two. The most significant difference that I can think of would be that the workstation Policy Manager ships with its own JRE while the browser-based Policy Manager is dependent upon the JRE/JDK installed with the operating system.

08-17-2015 03:33 PM
Thank you for your reply. We had considered using the browser based Policy Manager for this very reason, but I have heard that the "installed" version of Policy Manager has a much better user experience. I might give it a shot though, just to see. Thank you!


- Josh

08-17-2015 08:45 AM

We do have an existing enhancement on file for this request (SSG-3244). I have added your organization as an interested party. It is worth noting that it might be possible to accomplish this by using the browser-based Policy Manager. The browser-based Policy Manager--by virtue of being encapsulated in a browser--can capture credentials from a smart card reader and relay the certificate to the API Gateway. You can export the certificate from the card, import it into a user account in an identity provider, and use the browser as the smart card client.